from the I-mean,-they'll-still-use-both... dept

At the time the Investigatory Powers Bill was passing through Parliament – it was signed into law in 2016 – EI [Electronic Interference] hadn't been used, but it was already seen an alternative to bulk interception.

However, it was expected to be authorised through targeted or targeted thematic warrants; as then-independent reviewer of terrorism David Anderson wrote at the time, "bulk EI is likely to be only sparingly used".

[...]

During the passage of the Investigatory Powers legislation, he said, the government anticipated bulk EI warrants would be "the exception", and "be limited to overseas 'discovery' based EI operations".

But with encryption increasingly commonplace, the spies want the exception to edge towards becoming the rule.

"Used sparingly" is now "used by default." Why? The good old baddie, encryption. A letter [PDF] written by security minister Ben Wallace says encryption is making bulk data collections less useful.

Following a review of current operational and technical realities, GCHQ have revisited the previous position and determined that it will be necessary to conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged.

The lawfulness depends on the "double lock" process. The government alone can't give GCHQ permission to engage in bulk EI. There's a judge involved now, making this more of a warrant process than a subpoena process, to make a somewhat clumsy analogy. According to this report, bulk EI is still waiting in the wings. If true, it's a good thing because the double-lock process didn't actually go into effect until the end of November.

What bulk EI is remains somewhat of a mystery. But some of what's described in a 2016 report [PDF] containing several hypotheticals sounds like a lot of large-scale intrusion, ranging from Stingray-esque device location to tactics that have been left up to the imagination thus far.

Intelligence from sources including bulk interception identified a location in Syria used by extremists. However the widespread use of anonymisation and encryption prevented GCHQ from identifying specific individuals and their communications through bulk interception. GCHQ then used EI under an ISA authorisation (under the Bill this would be done using a targeted thematic EI warrant) to identify the users of devices in this location.

A group of terrorists are at a training camp in a remote location overseas. The security and intelligence agencies have successfully deployed targeted EI against the devices the group are using and know that they are planning an attack on Western tourists in a major town in the same country, but not when the attack is planned for. One day, all of the existing devices suddenly stop being used. This is probably an indication that the group has acquired new devices and gone to the town to prepare for the attack. It is not known what devices the terrorists are now using. The security and intelligence agencies would use bulk EI techniques to acquire data from devices located in the town in order to try to identify the new devices that are being used by the group.

Whatever bulk electronic interference ends up being when it's actually deployed, GCHQ is sure of one thing: the less it knows about its targets, the more justified it is using it in bulk.

As the cell members can only be identified following considerable target discovery effort, a bulk EI warrant is suitable.

Whatever civil liberties concerns this program raises will probably be dismissed quickly. GCHQ's hypotheticals involve terrorism suspects overseas and child porn site operators -- the least sympathetic targets available. Foreigners are fair game for bulk anything and no one wants to side with child exploiters, even if they technically share the same civil liberties/rights.

The exception is the rule. This is how it works for those who promise the most worrying aspects of surveillance programs will be saved for the edge cases. Sooner or later, the edge cases are just cases, and no one is interested in walking anything back.

from the 'those-DOJ-guys-are-real-straight-shooters' dept

Three years after its inception, a prosecution involving possibly unlawful FISA-authorized surveillance, hints of parallel construction, and a very rare DOJ notification of Section 702 evidence has reached a (temporary) dead end. The defendants challenged the evidence on multiple grounds -- many of which weren't possible before the Snowden leaks exposed the breadth and depth of the NSA's domestic surveillance.

The federal judge presiding over the case -- which involved material support for terrorism charges -- has declared there's nothing wrong with anything the NSA or FISA Court did, so long as the surveillance was authorized and possibly had something to do with national security. (via FourthAmendment.com)

First, the defendants -- all accused of providing material support to Al Qaeda (remember them?) -- asserted the constitutionality of the NSA's upstream collections should be revisited in light of the Snowden leaks. The court [PDF] says these more-recent exposures are no reason to upset the precedential apple cart.

Controlling precedent decides this issue. In 2005, the Sixth Circuit rejected a Fourth Amendment challenge to FISA's procedures. The court explained in Damrah that the defendant's Fourth Amendment challenge lacked merit, as "FISA has uniformly been held to be consistent with the Fourth Amendment." Damrah has not been overturned or altered in light of the public disclosures regarding PRISM and upstream collections. And consequently, Damrah forecloses Defendants' constitutional challenge.

So, to add this all up: leaked documents from 2013 onward, exposing routinely-abused programs that massively expanded following the 2008 FISA Amendments Act, mean nothing when stacked up against a 2005 case predating the NSA's admissions of surveillance abuse and the exposure of the FBI's backdoor searches of domestic communications.

Furthermore, the court declares -- based on documents provided by the government directly to the court, but not to the defendants (in ex parte hearings) -- the FISA-authorized surveillance was on the up-and-up because the government provided documents declaring the FISA-authorized surveillance was on the up-and-up.

The court is sympathetic to those on the other side of the deck it helped stack, but only barely.

I recognize the challenge faced by a defendant in making a substantial preliminary showing that a FISA application contains a false statement when the defendant does not have access to the application. But the threshold burden exists nonetheless. [...] And here, Defendants have failed to satisfy that burden.

Oddly, the court then decides, after pulling from a 2005 decision and ignoring every FISA-related development since then, that previous domestic surveillance violations by the FBI have no bearing on this case.

The Government's errors from more than a decade ago [referring to a 2004 IG report about post-9/11 surveillance] do not amount to a substantial preliminary showing that an application for FISA collection relevant to this case contains a false statement which was knowingly or recklessly made and necessary to the finding of probable case.

Yes, this is true. These are not comparable things. But with the defendants unable to review the FISA applications, they're left with the judge's take as guided by government submissions -- submissions the defendants are also unable to review or even argue.

As for the Fourth Amendment challenge to Section 702 surveillance generally, the court says there's really no Fourth Amendment issues as this does not apply to "aliens in foreign territory." The court goes even further, though, suggesting the collection of communications outside of the country does not even require a warrant, even if it "inadvertently" sweeps up Americans' communications during the process.

Since the court has also unilaterally decided it can -- unaided by anyone but the government -- decipher the government's FISA-related submissions, there are no due process violations even if the defendants are prevented from viewing, analyzing, or rebutting the claims made by the government during these ex parte sessions. In the end, there's nothing left for the defendants to do but appeal, which will certainly happen what with the court dismissing out of hand the evidence provided by multiple leaked documents and documents officially released by the Director of National Intelligence. To buy the government's claims of above-board surveillance in secret court sessions and declare those NATSEC Kosher seems like a very close-minded move that grants the government more deference than documents the government released publicly itself shows it has earned.

from the well-of-course-it-does dept

Yet another vindication of Ed Snowden. Soon after some of the documents he leaked as a whistleblower revealed that the UK's GCHQ was conducting mass surveillance, a variety of human rights groups filed complaints with the European Court of Human Rights. It's taken quite some time, but earlier today the court ruled that the surveillance violated human rights, though perhaps in a more limited way than many people had hoped.

At issue were three specific types of surveillance: bulk interception of communications, sharing what was collected with foreign intelligence agencies, and obtaining communications data (metadata) from telcos. The key part of the ruling was to find that the bulk interception of communications violated Article 8 of the Human Rights Act (roughly, but not exactly, analogous to the US 4th Amendment). It was not a complete victory, as the court didn't say that bulk interception by itself violated human rights, but that the lack of oversight over how this was done made the surveillance "inadequate." The court also rejected any claims around GCHQ sharing the data with foreign intelligence agencies.

In short, the court found that bulk interception could fit within a human rights framework if there was better oversight, and that obtaining data from telcos could be acceptable if there were safeguards to protect certain information, such as journalist sources. But the lack of such oversight and safeguards doomed the surveillance activity that Snowden revealed.

Operating a bulk interception scheme was not per se in violation of the Convention and
Governments had wide discretion (“a wide margin of appreciation”) in deciding what kind of
surveillance scheme was necessary to protect national security. However, the operation of such
systems had to meet six basic requirements, as set out in Weber and Saravia v. Germany. The Court
rejected a request by the applicants to update the Weber requirements, which they had said was
necessary owing to advances in technology.

The Court then noted that there were four stages of an operation under section 8(4): the
interception of communications being transmitted across selected Internet bearers; the using of
selectors to filter and discard – in near real time – those intercepted communications that had little
or no intelligence value; the application of searches to the remaining intercepted communications;
and the examination of some or all of the retained material by an analyst.

While the Court was satisfied that the intelligence services of the United Kingdom take their
Convention obligations seriously and are not abusing their powers, it found that there was
inadequate independent oversight of the selection and search processes involved in the operation,
in particular when it came to selecting the Internet bearers for interception and choosing the
selectors and search criteria used to filter and select intercepted communications for examination.
Furthermore, there were no real safeguards applicable to the selection of related communications
data for examination, even though this data could reveal a great deal about a person’s habits and
contacts.

Such failings meant section 8(4) did not meet the “quality of law” requirement of the Convention
and could not keep any interference to that which was “necessary in a democratic society”. There
had therefore been a violation of Article 8 of the Convention.

The court also found that acquiring data from telcos violated Article 8 as well, for similar reasons.

It first rejected a Government argument that the applicants’ application was inadmissible, finding
that as investigative journalists their communications could have been targeted by the procedures in
question. It then went on to focus on the Convention concept that any interference with rights had
to be “in accordance with the law”.

It noted that European Union law required that any regime allowing access to data held by
communications service providers had to be limited to the purpose of combating “serious crime”,
and that access be subject to prior review by a court or independent administrative body. As the EU
legal order is integrated into that of the UK and has primacy where there is a conflict with domestic
law, the Government had conceded in a recent domestic case that a very similar scheme introduced
by the Investigatory Powers Act 2016 was incompatible with fundamental rights in EU law because it
did not include these safeguards. Following this concession, the High Court ordered the Government
to amend the relevant provisions of the Act. The Court therefore found that as the Chapter II regime
also lacked these safeguards, it was not in accordance with domestic law as interpreted by the
domestic authorities in light of EU law. As such, there had been a violation of Article 8.

In respect of the bulk interception regime, the Court expressed particular concern about the absence
of any published safeguards relating both to the circumstances in which confidential journalistic
material could be selected intentionally for examination, and to the protection of confidentiality
where it had been selected, either intentionally or otherwise, for examination. In view of the
potential chilling effect that any perceived interference with the confidentiality of journalists’
communications and, in particular, their sources might have on the freedom of the press, the Court
found that the bulk interception regime was also in violation of Article 10.

When it came to requests for data from communications service providers under Chapter II, the
Court noted that the relevant safeguards only applied when the purpose of such a request was to
uncover the identity of a journalist’s source. They did not apply in every case where there was a
request for a journalist’s communications data, or where collateral intrusion was likely. In addition,
there were no special provisions restricting access to the purpose of combating “serious crime”. As a
consequence, the Court also found a violation of Article 10 in respect of the Chapter II regime.

On the final issue of passing on the info to foreign intelligence agencies, the court didn't find any human rights issues there:

The Court found that the procedure for requesting either the interception or the conveyance of
intercept material from foreign intelligence agencies was set out with sufficient clarity in the
domestic law and relevant code of practice. In particular, material from foreign agencies could only
be searched if all the requirements for searching material obtained by the UK security services were
fulfilled. The Court further observed that there was no evidence of any significant shortcomings in
the application and operation of the regime, or indeed evidence of any abuse.

It would have been nice if there was more of a blanket recognition of the problems of bulk interception and mass surveillance. Unfortunately the court didn't go that far. But at the very least this has to be seen as a pretty massive vindication of Snowden whistleblowing on the lack of oversight to protect privacy and the lack of safeguards to prevent telcos from sharing information with the government that should have been protected.

According to The Intercept's investigation, there are eight of these datacenters/hubs scattered around the United States. And the NSA is utilizing these to grab data and communications from all over the world. Like the one in Manhattan, the other AT&T/NSA structures are structurally hardened, largely devoid of windows, and bristling with communications equipment... not all of it belonging to AT&T.

Atlanta, Chicago, Dallas, Los Angeles, New York City, San Francisco, Seattle, and Washington, D.C. In each of these cities, The Intercept has identified an AT&T facility containing networking equipment that transports large quantities of internet traffic across the United States and the world. A body of evidence – including classified NSA documents, public records, and interviews with several former AT&T employees – indicates that the buildings are central to an NSA spying initiative that has for years monitored billions of emails, phone calls, and online chats passing across U.S. territory.

This isn't just a collection of AT&T customers' communications. Its partnerships with other telcos and internet providers allows the NSA to harvest communications from a variety of service providers. These eight locations are "backbones," which means almost everything being carried by AT&T flows through at least one of these centers. Former AT&T employees interviewed by The Intercept indicate there has been a concerted effort made by AT&T to ensure the NSA has access to as much data and communications as possible.

"I worked with all of them," said Philip Long, who was employed by AT&T for more than two decades as a technician servicing its networks. Long's work with AT&T was carried out mostly in California, but he said his job required him to be in contact with the company's other facilities across the U.S. In about 2005, Long recalled, he received orders to move "every internet backbone circuit I had in northern California" through the San Francisco AT&T building identified by The Intercept as one of the eight NSA spy hubs. Long said that, at the time, he felt suspicious of the changes, because they were unusual and unnecessary. "We thought we were routing our circuits so that they could grab all the data," he said. "We thought it was the government listening."

Former employee Mark Klein claimed the NSA installed its own equipment at some of the hubs several years ago. Those interviewed by the Intercept confirm this, pointing out that some hubs proactively made copies of everything flowing through these centers for the surveillance agency. Most of what's harvested avoids the oversight of the FISA court by being obtained under Executive Order 12333. This Reagan directive granted "transit" authority, allowing the NSA to intercept foreign communications as they traversed hubs located in the United States.

As The Intercept points out, this collection has run into trouble in the FISA court. Even though AT&T apparently deploys filters to sort communications by originating IP addresses to remove as many domestic communications as possible, the NSA was still able to scoop up plenty of US persons' communications. This led to a ruling by the FISA court ordering the NSA to fix the program or shut it down. It chose to "fix" it, which involved nothing more than tossing up a warning on analysts' screens that the haystacks they were perusing contained domestic communications, warning them to "not read" the communications of non-target US persons. This worked about as well as you would expect, leading to a neverending string of "compliance incidents" that somehow managed to fall outside the generous coverage granted to the agency with the 2008 FISA Amendments Act.

This latest revelation isn't going to undermine AT&T's "Death Star" reputation. The company is awful on so many levels (routinely terrible customer service, supervillainistic behavior) that finding out it's carrying on a nationwide relationship with the NSA is hardly a surprise. But we should expect more from the companies we trust with our data and communications. We need companies that play hard-to-get, not those that immediately assume compromising positions the moment the government hints it wants to be deep inside them.

from the but-top-EU-court's-views-may-matter-more dept

In the wake of Snowden's revelations of the scale of mass surveillance around the world, various cases have been brought before the courts in an attempt to stop or at least limit this activity. One involved Sweden's use of bulk interception for gathering foreign intelligence. A public interest law firm filed a complaint at the European Court of Human Rights (ECtHR). It alleged that governmental spying breached its privacy rights under Article 8 of the European Convention on Human Rights (pdf). The complaint said that the system of secret surveillance potentially affected all users of the Internet and mobile phones in Sweden, and pointed out that there was no system for citizens to use if they suspected their communications had been intercepted. The ECtHR has just ruled that "although there were some areas for improvement, overall the Swedish system of bulk interception provided adequate and sufficient guarantees against arbitrariness and the risk of abuse":

In particular, the scope of the signals intelligence measures and the treatment of intercepted data were clearly defined in law, permission for interception had to be by court order after a detailed examination, it was only permitted for communications crossing the Swedish border and not within Sweden itself, it could only be for a maximum of six months, and any renewal required a review. Furthermore, there were several independent bodies, in particular an inspectorate, tasked with the supervision and review of the system. Lastly, the lack of notification of surveillance measures was compensated for by the fact that there were a number of complaint mechanisms available, in particular via the inspectorate, the Parliamentary Ombudsmen and the Chancellor of Justice.

When coming to that conclusion, the Court took into account the State's discretionary powers in protecting national security, especially given the present-day threats of global terrorism and serious cross-border crime.

It might have been too much to expect bulk intercept ruled out in principle, but it is surprising to see a retreat from existing standards on safeguards.

McIntyre played a leading role in one of the key cases brought against mass surveillance, by Digital Rights Ireland in 2014. It resulted in the EU's top court, the Court of Justice of the European Union (CJEU), ruling the EU's Data Retention Directive was "invalid". As McIntyre notes, the detailed ECtHR analysis mentions the CJEU decision, but not the more recent ruling by the latter that struck down the "Safe Harbor" framework because of mass surveillance by the NSA.

The judgment significantly waters down safeguards previously developed by the ECtHR in relation to notification and possibility of a remedy against unlawful surveillance.

For example, McIntyre points out the ECtHR accepted that it is necessary for the Swedish signals intelligence service to store raw material before it can be manually processed:

Remarkably weak controls on storage and downstream use of intercept material were accepted by the ECtHR -- in particular, it was satisfied with retention of bulk intercept "raw material" for one year!

Something of a setback in terms of limiting mass surveillance, the latest judgment goes against the general trend of decisions by the arguably more important CJEU court. In 2014 the latter effectively ruled that its own decisions should take precedence over those of the ECtHR if they came into conflict. That is now more likely, given the CJEU's hardening position against mass surveillance, and the diverging judgment from the ECtHR, which shows some softening.

The court found the data retention provisions are at odds with civil liberties protections for a couple of reasons. First, the oversight is too limited to be considered protective of human rights asserted by the EU governing body. As the law stands now, demands for data don't require independent oversight or authorization.

Second, even though the Charter claims demands for data will be limited to "serious crimes," the actual wording shows there are no practical limitations preventing the government from accessing this data for nearly any reason at all.

The decision quotes the Charter's stated reasons for obtaining data, which range from "public safety," to "preventing disorder" to "assessing or collecting taxes." Obviously, the broad surveillance powers will not be limited to "serious crimes," contrary to the government's assertions in court.

First, the wording of the draft declaration is so broad that it would include areas which are outside (or potentially outside) the area of serious crime: for example, the area of national security. As will become apparent later, the issue of whether the area of national security falls within the scope of EU law at all is the subject of dispute between the parties.

The second sentence refers to the government's argument: that UK national security concerns trump European law. Unfortunately, the High Court does not provide an answer as to whether UK law can ignore CJEU decisions when it comes to securing the nation. This will have to wait until after a decision is handed down in another challenge to the surveillance law.

[I]n our view, although the terms of section 94 of the 1984 Act and the terms of Part 4 of the 2016 Act are not identical, the questions which have been referred by the IPT are not confined to the precise scope of section 94. Rather they raise broader questions about the scope of EU law, having regard to Article 4 TEU and Article 1(3) of the e-Privacy Directive; and also raise the particular question of whether any of the Watson CJEU requirements apply in the field of national security.

For those reasons we refuse the application by the Claimant to make a reference to the CJEU on this question. This part of this claim will be stayed pending the CJEU’s decision in the reference in the Privacy International case.

In the end, the court decides this part of the Snoopers Charter must be stricken and rewritten to comply with EU privacy protections. The UK government has six months to fix the law. Until that point, it appears UK agencies will still be able to demand data in bulk under the Charter draft. Once the fixes are in and enacted, bulk collections of internet browsing data and communications metadata will cease… at least until the UK exits the European Union.

from the Privilege-for-me-not-for-thee dept

Over the weekend Trump tweeted:

Attorney Client privilege is now a thing of the past. I have many (too many!) lawyers and they are probably wondering when their offices, and even homes, are going to be raided with everything, including their phones and computers, taken. All lawyers are deflated and concerned!

Attorney Client privilege is now a thing of the past. I have many (too many!) lawyers and they are probably wondering when their offices, and even homes, are going to be raided with everything, including their phones and computers, taken. All lawyers are deflated and concerned!

Attorney-client privilege is indeed a serious thing. It is inherently woven into the Sixth Amendment's right to counsel. That right to counsel is a right to effective counsel. Effective counsel depends on candor by the client. That candor in turn depends on clients being confident that their communications seeking counsel will be confidential. If, however, a client has to fear the government obtaining those communications then their ability to speak openly with their lawyer will be chilled. But without that openness, their lawyers will not be able to effectively advocate for them. Thus the Sixth Amendment requires that attorney-client communications – those communications made in the furtherance of seeking legal counsel – be privileged from government (or other third party) view.

So Trump is right: attorney-client privilege in America is under attack, and ever since we started learning about these programs lawyers have definitely been worried about how they impose an intolerableburden on the Sixth Amendment right to counsel. But unlike in Trump's situation where there is serious reason to doubt whether there's any privilege to be maintained at all (after all, privilege only applies to communications made in the course of seeking legal counsel, not communications made for other purposes, including the furtherance of crime or fraud), and care being taken to preserve what privilege there may be, bulk surveillance sweeps up all communications, including all those for which there is no doubt as to their privileged status, and without any sort of care taken to protect these sensitive communications from the prying eyes of the state. Indeed, the whole point of bulk surveillance is so that the prying eyes of the state can get to see who was saying what to whom without any prior reason to target any of these communications in particular, because with bulk surveillance there is no targeting: it swoops up everything, privileged or not.

If Trump truly finds it troubling for the government to be able obtain privileged communications he could put an end to these programs. It would certainly help make any argument he raises about how his own privilege claims should be sacrosanct rings ring less hollow if his administration weren't currently being so destructive to everyone else's.

from the of-course,-when-you're-the-government,-you-just-have-the-laws-changed dept

The UK's mass surveillance programs haven't been treated kindly by the passing years (2013-onward). Ever since Snowden began dumping details on GCHQ surveillance, legal challenges to the lawfulness of UK bulk surveillance have been flying into courtrooms. More amazingly, they've been coming out the other side victorious.

In 2015, a UK tribunal ruled GCHQ had conducted illegal surveillance and ordered it to destroy intercepted communications between detainees and their legal reps. In 2016, the UK tribunal declared GCHQ's bulk collection of communications metadata illegal. However, the tribunal did not order destruction of this collection, meaning GCHQ is likely still making use of illegally-collected metadata.

A second loss in 2016 -- this time at the hands of the EU Court of Justice -- found GCHQ's collection of European communications being declared illegal due to the "indiscriminate" (untargeted) nature of the collection process. The UK government appealed this decision, taking the ball back to its home court. And, again, it has been denied a victory.

The court of appeal ruling on Tuesday said the powers in the Data Retention and Investigatory Powers Act 2014, which paved the way for the snooper’s charter legislation, did not restrict the accessing of confidential personal phone and web browsing records to investigations of serious crime, and allowed police and other public bodies to authorise their own access without adequate oversight.

The three judges said Dripa was “inconsistent with EU law” because of this lack of safeguards, including the absence of “prior review by a court or independent administrative authority”.

Hey, the elimination of privacy safeguards is just the price that has to be paid when the nation's security can only be guaranteed by rushed, liberty-violating legislation dropped onto the floor shortly before closing time. If power is going to be consolidated, it needs to be done with a little debate as possible. Built-in safeguards for citizens' privacy is something that can be relegated to an afterthought. And that afterthought need never be brought up again.

Those powers - granted by DRIPA -- have been declared illegal. That's going to cause problems for the Snooper's Charter, which is DRIPA's surveillance state successor. Chances are the problem will be dealt with by erecting a few minimal privacy protections while codifying prior surveillance abuses. And since this only upholds an EU court decision, it will mean less than nothing once Britain completes its exit from the Union.

The good news is the court's decision backs up what critics have been saying for years: bulk interception of communications violates UK law, and the supposed oversight these collections receive falls far short of what's required to make the collections legal again.

This order was immediately stayed to allow the government to appeal (and to continue harvesting domestic phone records in bulk). The Appeals Court disagreed with Leon, sending the case back for another ruling. It didn't change anything at the lower level. Judge Leon still found the program unconstitutional and ordered the NSA to stop collecting the phone records of the two named plaintiffs.

Shortly after this ruling, the USA Freedom Act ended the NSA's bulk collection of phone records, largely rendering the lawsuit moot. After another round of appeals, the government asked Judge Leon to dismiss the case entirely. Judge Leon has done so, agreeing with the government that the implementation of the USA Freedom Act prevents it from collecting phone records in bulk and brings it in line with the injunction previously issued by Leon. The plaintiffs were hoping a round of discovery would produce records substantiating their claims of warrantless surveillance of the single named client. Judge Leon has denied additional requests by the plaintiffs and dismissed [PDF] the case with prejudice.

[E]ven if plaintiffs were able to establish -- through jurisdictional discovery -- that the NSA had, in fact, collected their telephony metadata, they still would not be able to overcome the jurisdictional defect in this case. Because bulk collection under Section 215 is now prohibited by statute, plaintiffs' claims for injunctive relief against bulk collection are moot, regardless of whether the Government actually collected and queried plaintiffs' telephony metadata pursuant to the Section 215 program in the past.

The decision closes with Judge Leon expressing his hope the Supreme Court might step in and address the Third Party Doctrine directly and more closely examine the "expectation of privacy" concept in the context of today's communication methods. (This is why the upcoming Carpenter case -- dealing with warrantless collection of historical cell site information -- bears watching.)

While the zeal and vigilance with which plaintiffs have sought to protect our Constitutional rights is indeed laudable, this Court, in the final analysis, has no choice but to dismiss these cases for plaintiffs' failure to demonstrate the necessary jurisdiction to proceed. I do so today, however, well aware that I will not be the last District Judge who will be required to determine the appropriate balance between our national security and privacy interests during this never-ending war on terror. Hopefully by the time these issues are next joined, our Supreme Court will have had the opportunity to provide us with further guidance on the parameters of our privacy interests in this era of ever-increasing electronic communication. If not, concerned citizens such as these will continue to shoulder the heavy yoke that vigilance to our Constitutional liberties surely requires.

from the mostly-true-and-mostly-misleading dept

As the clock winds down to the end of the year, the NSA (along with the FBI, CIA, and other government components with access to NSA collections) is hoping it won't have its internet surveillance programs limited in any way. So far, it's receiving plenty of help from the Senate Intelligence Committee, which has offered up a zero-reform package. (The House has its own version, which actually includes a few reforms, but it still leaves plenty of loopholes for domestic surveillance.)

The NSA chooses to focus solely on Section 702 and the issue of targeting. But these focal points are misleading. The NSA has plenty of ways of obtaining US persons' communications without targeting them. On top of that, the NSA has a few options for targeting US persons that go completely unmentioned. And the FBI is allowed to target US persons for a number of reasons using NSA surveillance programs -- again, something the Q&A ignores completely.

Section 702 surveillance is done under Title VII, which also includes US person-targeting authorities like Section 704 and 705(b). Not much discussion has centered on these two authorities because they aren't used that often. But they do absolutely allow the NSA to target US persons, unlike Section 702.

But there are problems with Section 702's foreign-facing work as well. In addition to targeting adversaries, Section 702 also allows the NSA to target friendly foreigners, like high-ranking government officials. Even while remaining foreign-focused, the program has still swept up US persons' communications. Some of this "incidental" collection was eliminated when the NSA dropped its "about" email collection. But even with its voluntary move, the NSA is still sweeping up US communications inadvertently.

This is a boon for the FBI, which is allowed to perform backdoor searches on Americans for evidence of criminal activity. This isn't limited to terrorist activity or foreign crimes. The bill offered up by the Senate would actually expand the FBI's use of NSA collections by adding a number of new crimes to the list of search justifications.

Curiously, while the NSA doesn't address the disproportionate impact of 702 on Muslims, it does pretend to address the disproportionate impact on Asians or their family members — people like like Xiaoxiang Xi and Keith Gartenlaub.

Q: Could the government target my colleague, who is a citizen of an Asian country, as a pretext to collect my communications under Section 702?

A: No. That would be considered "reverse targeting" and is prohibited.

conduct unlimited warrantless searches on Americans, disseminate the results of those searches, and use that information against those Americans, so long as it has any justification at all for targeting the foreigner.

Effectively, the government has morphed the "significant purpose" logic from the PATRIOT Act onto 702, meaning collecting foreign intelligence doesn't have to be the sole purpose of targeting a foreigner; learning about what an American is doing, such as a scientist engaging in scientific discussion, can be one purpose of the targeting.

The NSA tops off its Q&A by (accurately) claiming it can't search 702 collections for US person information. But it does not point out other government agencies can -- and can do it with very little oversight. That's what the FBI does routinely but not once in the Q&A will you find any reference to outside agency data store access.

The NSA's pro-702 pitch may be factual, but only because it carefully excises all of the inconvenient facts -- ones that might cause more people to question the collection and data search procedures being renewed.